Indala car wash

tristanik · 2018-09-28 23:14:02

Hello my friends
I have a card for a car wash. Proxmark tells me it's Indala, but I've also tried other t55xx commands.
Do you have any ideas to give me?

Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-422-gb8a9231-suspect 2018-09-24 14:33:05
os: master/v3.0.1-422-gb8a9231-suspect 2018-09-24 14:33:08
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2018/09/12 at 15:18:46
SmartCard Slot: not available

uC: AT91SAM7S256 Rev C
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 193327 bytes (74%). Free: 68817 bytes (26%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> lf t55xx config
Chip Type : T55x7
Modulation : ASK
Bit Rate : 0 - RF/8
Inverted : No
Offset : 0
Seq. Term. : No
Block0 : 0x00000000

proxmark3> lf t55xx detect
Chip Type : T55x7
Modulation : ASK
Bit Rate : 5 - RF/64
Inverted : No
Offset : 32
Seq. Term. : No
Block0 : 0x00148010

proxmark3> lf t55xx info

-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key : 0
reserved : 0
Data bit rate : 5 - RF/64
eXtended mode : No
Modulation : 8 - Manchester
PSK clock frequency : 0
AOR - Answer on Request : No
OTP - One Time Pad : No
Max block : 0
Password mode : Yes
Sequence Start Terminator : No
Fast Write : No
Inverse data : No
POR-Delay : No
-------------------------------------------------------------
Raw Data - Page 0
Block 0 : 0x00148010 00000000000101001000000000010000
-------------------------------------------------------------

proxmark3> lf t55xx special
OFFSET | DATA | BINARY
----------------------------------------------------
00 | 0x00148010 | 00000000000101001000000000010000
01 | 0x00290020 | 00000000001010010000000000100000
02 | 0x00520040 | 00000000010100100000000001000000
03 | 0x00A40080 | 00000000101001000000000010000000
04 | 0x01480100 | 00000001010010000000000100000000
05 | 0x02900200 | 00000010100100000000001000000000
06 | 0x05200400 | 00000101001000000000010000000000
07 | 0x0A400800 | 00001010010000000000100000000000
08 | 0x14801000 | 00010100100000000001000000000000
09 | 0x29002000 | 00101001000000000010000000000000
10 | 0x52004000 | 01010010000000000100000000000000
11 | 0xA4008000 | 10100100000000001000000000000000
12 | 0x48010001 | 01001000000000010000000000000001
13 | 0x90020002 | 10010000000000100000000000000010
14 | 0x20040005 | 00100000000001000000000000000101
15 | 0x4008000A | 01000000000010000000000000001010
16 | 0x80100014 | 10000000000100000000000000010100
17 | 0x00200029 | 00000000001000000000000000101001
18 | 0x00400052 | 00000000010000000000000001010010
19 | 0x008000A4 | 00000000100000000000000010100100
20 | 0x01000148 | 00000001000000000000000101001000
21 | 0x02000290 | 00000010000000000000001010010000
22 | 0x04000520 | 00000100000000000000010100100000
23 | 0x08000A40 | 00001000000000000000101001000000
24 | 0x10001480 | 00010000000000000001010010000000
25 | 0x20002900 | 00100000000000000010100100000000
26 | 0x40005200 | 01000000000000000101001000000000
27 | 0x8000A400 | 10000000000000001010010000000000
28 | 0x00014801 | 00000000000000010100100000000001
29 | 0x00029002 | 00000000000000101001000000000010
30 | 0x00052004 | 00000000000001010010000000000100
31 | 0x000A4008 | 00000000000010100100000000001000
32 | 0x00148010 | 00000000000101001000000000010000
33 | 0x00290020 | 00000000001010010000000000100000
34 | 0x00520040 | 00000000010100100000000001000000
35 | 0x00A40080 | 00000000101001000000000010000000
36 | 0x01480100 | 00000001010010000000000100000000
37 | 0x02900200 | 00000010100100000000001000000000
38 | 0x05200400 | 00000101001000000000010000000000
39 | 0x0A400800 | 00001010010000000000100000000000
40 | 0x14801000 | 00010100100000000001000000000000
41 | 0x29002000 | 00101001000000000010000000000000
42 | 0x52004000 | 01010010000000000100000000000000
43 | 0xA4008000 | 10100100000000001000000000000000
44 | 0x48010001 | 01001000000000010000000000000001
45 | 0x90020002 | 10010000000000100000000000000010
46 | 0x20040005 | 00100000000001000000000000000101
47 | 0x4008000A | 01000000000010000000000000001010
48 | 0x80100014 | 10000000000100000000000000010100
49 | 0x00200029 | 00000000001000000000000000101001
50 | 0x00400052 | 00000000010000000000000001010010
51 | 0x008000A4 | 00000000100000000000000010100100
52 | 0x01000148 | 00000001000000000000000101001000
53 | 0x02000290 | 00000010000000000000001010010000
54 | 0x04000520 | 00000100000000000000010100100000
55 | 0x08000A40 | 00001000000000000000101001000000
56 | 0x10001480 | 00010000000000000001010010000000
57 | 0x20002900 | 00100000000000000010100100000000
58 | 0x40005200 | 01000000000000000101001000000000
59 | 0x8000A400 | 10000000000000001010010000000000
60 | 0x00014801 | 00000000000000010100100000000001
61 | 0x00029002 | 00000000000000101001000000000010
62 | 0x00052004 | 00000000000001010010000000000100
63 | 0x000A4008 | 00000000000010100100000000001000

tristanik · 2018-09-28 23:16:24

proxmark3> lf t55xx read
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
255 | 00148010 | 00000000000101001000000000010000

tristanik · 2018-09-28 23:19:20

proxmark3> lf t55xx dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 00148010 | 00000000000101001000000000010000
1 | 00148010 | 00000000000101001000000000010000
2 | 00148010 | 00000000000101001000000000010000
3 | 00148010 | 00000000000101001000000000010000
4 | 00148010 | 00000000000101001000000000010000
5 | 00148010 | 00000000000101001000000000010000
6 | 00148010 | 00000000000101001000000000010000
7 | 00148010 | 00000000000101001000000000010000
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 2537887C | 00100101001101111000100001111100
1 | 2537887C | 00100101001101111000100001111100
2 | 2537887C | 00100101001101111000100001111100
3 | 2537887C | 00100101001101111000100001111100

tristanik · 2018-09-28 23:21:03

proxmark3> lf search u
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible

Checking for known tags:

No Known Tags Found!

Checking for Unknown tags:

Possible Auto Correlation of 2048 repeating samples

Using Clock:64, Invert:0, Bits Found:466
ASK/Manchester - Clock: 64 - Decoded bitstream:
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
10

Unknown ASK Modulated and Manchester encoded Tag Found!

if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'

Valid T55xx Chip Found
Try lf t55xx ... commands

tristanik · 2018-10-11 22:13:48

pm3 --> lf t55xx trace
-- T55x7 Trace Information ----------------------------------
-------------------------------------------------------------
ACL Allocation class (ISO/IEC 15963-1) : 0xE0 (224)
MFC Manufacturer ID (ISO/IEC 7816-6) : 0x15 (21) - ATMEL France
CID : 0x01 (1) - ATA5577M1
ICR IC Revision : 2
Manufactured
Year/Quarter : 2017/1
Lot ID : 595
Wafer number : 15
Die Number : 2165
-------------------------------------------------------------
Raw Data - Page 1
Block 1 : 0xE0150A74 11100000000101010000101001110100
Block 2 : 0x25378875 00100101001101111000100001110101
-------------------------------------------------------------

marshmellow · 2018-10-13 00:42:19

Hello my friends
I have a card for a car wash. Proxmark tells me it's Indala, but I've also tried other t55xx commands.
Do you have any ideas to give me?

You have not expressed what you'd like to do or know... this is why no one has offered any help.

tristanik · 2018-10-13 06:32:02

ok, thanks Marshmellow. I can not figure out where the credit is written and why the blocks are all the same.

iceman · 2018-10-13 10:17:02

.... lf t55 dump ... and share it...

tristanik · 2018-10-13 19:16:40

pm3 --> lf t55 dump
Reading Page 0:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | 00148010 | 00000000000101001000000000010000 | ....
01 | 00148010 | 00000000000101001000000000010000 | ....
02 | 00148010 | 00000000000101001000000000010000 | ....
03 | 00148010 | 00000000000101001000000000010000 | ....
04 | 00148010 | 00000000000101001000000000010000 | ....
05 | 00148010 | 00000000000101001000000000010000 | ....
06 | 00148010 | 00000000000101001000000000010000 | ....
07 | 00148010 | 00000000000101001000000000010000 | ....
Reading Page 1:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | 2537887C | 00100101001101111000100001111100 | %7.|
01 | 2537887C | 00100101001101111000100001111100 | %7.|
02 | 2537887C | 00100101001101111000100001111100 | %7.|
03 | 2537887C | 00100101001101111000100001111100 | %7.|

iceman · 2018-10-14 08:03:46

that looks like someone wrote the config block over the whole card.... Your dump data looks just wrong

tristanik · 2019-02-20 18:17:57

proxmark3> lf t55xx dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 00148010 | 00000000000101001000000000010000
1 | 00148010 | 00000000000101001000000000010000
2 | 00148010 | 00000000000101001000000000010000
3 | 00148010 | 00000000000101001000000000010000
4 | 00148010 | 00000000000101001000000000010000
5 | 00148010 | 00000000000101001000000000010000
6 | 00148010 | 00000000000101001000000000010000
7 | 00148010 | 00000000000101001000000000010000
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 2536840F | 00100101001101101000010000001111
1 | 2536840F | 00100101001101101000010000001111
2 | 2536840F | 00100101001101101000010000001111
3 | 2536840F | 00100101001101101000010000001111
proxmark3> lf t55xx trace
-- T55x7 Trace Information ----------------------------------
-------------------------------------------------------------
ACL Allocation class (ISO/IEC 15963-1) : 0xE0 (224)
MFC Manufacturer ID (ISO/IEC 7816-6) : 0x15 (21) - ATMEL France
CID : 0x01 (1) - ATA5577M1
ICR IC Revision : 2
Manufactured
Year/Quarter : 2017/1
Lot ID : 595
Wafer number : 13
Die Number : 1039
-------------------------------------------------------------
Raw Data - Page 1
Block 1 : 0xE0150A74 11100000000101010000101001110100
Block 2 : 0x2536840F 00100101001101101000010000001111
-------------------------------------------------------------

tristanik · 2019-02-20 18:19:04

This is other card. Any idea?

iceman · 2019-02-20 19:00:30

same thing, the config block is all over the dump..

tristanik · 2019-02-20 22:22:04

what could be the reason?

iceman · 2019-02-20 22:44:55

I have no idea but maybe a bad programmed tag?

marshmellow · 2019-02-20 23:53:14

That is how a password protected t55xx tag responds.. page 0 block 1 is displayed for all page 0 blocks on a page 0 read block cmds, and page 1 block 1 is displayed for all page 1 read block cmds.

It just happens that your block 1 data looks like block 0 (config) data

tristanik · 2019-02-21 18:37:31

How can I find out the password? if I try to do a bruteforce, I always have the first password in the list, but then it does not turn out to be the valid one.
proxmark3> lf t55xx bruteforce aaaaaaaa bbbbbbbb
Search password range [AAAAAAAA -> BBBBBBBB]
.Chip Type : T55x7
Modulation : ASK
Bit Rate : 5 - RF/64
Inverted : No
Offset : 32
Seq. Term. : No
Block0 : 0x00148010

Found valid password: [aaaaaaaa]
-----------------------------------------------------------------------------
proxmark3> lf t55xx bruteforce i default_pwd.dic
chk custom pwd[ 0] 51243648
chk custom pwd[ 1] 000D8787
chk custom pwd[ 2] 00000000
chk custom pwd[ 3] 11111111
chk custom pwd[ 4] 22222222
chk custom pwd[ 5] 33333333
chk custom pwd[ 6] 44444444
chk custom pwd[ 7] 55555555
chk custom pwd[ 8] 66666666
chk custom pwd[ 9] 77777777
chk custom pwd[10] 88888888
chk custom pwd[11] 99999999
chk custom pwd[12] AAAAAAAA
chk custom pwd[13] BBBBBBBB
chk custom pwd[14] CCCCCCCC
chk custom pwd[15] DDDDDDDD
chk custom pwd[16] EEEEEEEE
chk custom pwd[17] FFFFFFFF
chk custom pwd[18] A0A1A2A3
chk custom pwd[19] B0B1B2B3
chk custom pwd[20] AABBCCDD
chk custom pwd[21] BBCCDDEE
chk custom pwd[22] CCDDEEFF
chk custom pwd[23] 00000001
chk custom pwd[24] 00000002
chk custom pwd[25] 0000000A
chk custom pwd[26] 0000000B
chk custom pwd[27] 01020304
chk custom pwd[28] 02030405
chk custom pwd[29] 03040506
chk custom pwd[30] 04050607
chk custom pwd[31] 05060708
chk custom pwd[32] 06070809
chk custom pwd[33] 0708090A
chk custom pwd[34] 08090A0B
chk custom pwd[35] 090A0B0C
chk custom pwd[36] 0A0B0C0D
chk custom pwd[37] 0B0C0D0E
chk custom pwd[38] 0C0D0E0F
chk custom pwd[39] 01234567
chk custom pwd[40] 12345678
chk custom pwd[41] 10000000
chk custom pwd[42] 20000000
chk custom pwd[43] 30000000
chk custom pwd[44] 40000000
chk custom pwd[45] 50000000
chk custom pwd[46] 60000000
chk custom pwd[47] 70000000
chk custom pwd[48] 80000000
chk custom pwd[49] 90000000
chk custom pwd[50] A0000000
chk custom pwd[51] B0000000
chk custom pwd[52] C0000000
chk custom pwd[53] D0000000
chk custom pwd[54] E0000000
chk custom pwd[55] F0000000
chk custom pwd[56] 10101010
chk custom pwd[57] 01010101
chk custom pwd[58] 11223344
chk custom pwd[59] 22334455
chk custom pwd[60] 33445566
chk custom pwd[61] 44556677
chk custom pwd[62] 55667788
chk custom pwd[63] 66778899
chk custom pwd[64] 778899AA
chk custom pwd[65] 8899AABB
chk custom pwd[66] 99AABBCC
chk custom pwd[67] AABBCCDD
chk custom pwd[68] BBCCDDEE
chk custom pwd[69] CCDDEEFF
chk custom pwd[70] 0CB7E7FC
chk custom pwd[71] FABADA11
chk custom pwd[72] 65857569
Loaded 73 keys
Testing 51243648
Chip Type : T55x7
Modulation : ASK
Bit Rate : 5 - RF/64
Inverted : No
Offset : 32
Seq. Term. : No
Block0 : 0x00148010

Found valid password: [51243648]

marshmellow · 2019-02-22 01:14:29

Lol, yeah it would do that (output false positive) as coded currently for your tag...

Best way to get the password is to Snoop a genuine reader reading that card

tristanik · 2019-02-28 14:13:12

What is the exact procedure for doing the snoop? I can not understand

merlok · 2019-03-08 20:22:28

The t5577 just sends code from its memory when it powered by field.
and when it dont see command it just sends that code
so
if we see not changing wave after several lf t55 read b X - it looks like the t5577 have password or have some other type reader-chip communication (it have 4 types)

Proxmark3 community

Announcement

#1 2018-09-28 23:14:02

Indala car wash

#2 2018-09-28 23:16:24

Re: Indala car wash

#3 2018-09-28 23:19:20

Re: Indala car wash

#4 2018-09-28 23:21:03

Re: Indala car wash

#5 2018-10-11 22:13:48

Re: Indala car wash

#6 2018-10-13 00:42:19

Re: Indala car wash

#7 2018-10-13 06:32:02

Re: Indala car wash

#8 2018-10-13 10:17:02

Re: Indala car wash

#9 2018-10-13 19:16:40

Re: Indala car wash

#10 2018-10-14 08:03:46

Re: Indala car wash

#11 2019-02-20 18:17:57

Re: Indala car wash

#12 2019-02-20 18:19:04

Re: Indala car wash

#13 2019-02-20 19:00:30

Re: Indala car wash

#14 2019-02-20 22:22:04

Re: Indala car wash

#15 2019-02-20 22:44:55

Re: Indala car wash

#16 2019-02-20 23:53:14

Re: Indala car wash

#17 2019-02-21 18:37:31

Re: Indala car wash

#18 2019-02-22 01:14:29

Re: Indala car wash

#19 2019-02-28 14:13:12

Re: Indala car wash

#20 2019-03-08 20:22:28

Re: Indala car wash

Board footer